Visual Studio Code devcontainers: how to trust our self-signed proxy/firewall certificate?

Question

My corporate firewall is breaking TLS/SSL connections. I'd like to add a root certifiate to VSCode trust store. Is it possible?

None of the below settings seem to affect devcontainers HTTP connections:

"http.experimental.systemCertificatesV2": false
"http.systemCertificates": false
"http.proxyStrictSSL": false

.devcontainer.json

{
    "features": {
        "ghcr.io/devcontainers/features/java:1": {
           "installMaven": "true"
       }
     },

    "name": "Java",
    "image": "mcr.microsoft.com/devcontainers/java:1-21-bullseye"
}

Error:

Resolving Feature dependencies for 'ghcr.io/devcontainers/features/java:1'...
* Processing feature: ghcr.io/devcontainers/features/java:1
Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (node:_tls_wrap:1553:34)
    at TLSSocket.emit (node:events:514:28)
    at TLSSocket._finishInit (node:_tls_wrap:970:8)
    at TLSWrap.onhandshakedone (node:_tls_wrap:746:12)

Answer 1

Somewhat late with an answer. I had the same problem. If your container is running Debian or a derivative, you can install a trusted root by creating a script and running it as a postCreateCommand in your devcontainer.json file. My script consists of:

sudo cp ./.devcontainer/myroot.crt /usr/local/share/ca-certificates/myroot.crt
sudo update-ca-certificates

The file type must be .crt and you should add it to the .devcontainer directory. This will add the certificate to the container's trusted root store.

If your container is running something other than Debian or a derivative, you should still be able to find a mechanism to add a new trusted root to it and accomplish the same.